Yasin Beceni and Susen Aklan of BTS clarify Turkey’s data protection regulations on data controller registry obligations
Article 16 of Law no. 6698 on the Protection of Personal Data (DP Law) introduced a general obligation on data controllers to register before the Data Controllers Registry that is to be maintained by the Turkish Data Protection Board.
Obligation of foreign data controllers to register before the Registry
With the Regulation on the Data Controllers Registry and a number of board decisions, the board determined the scope of the obligation of registration and clarified the types of data controller that would be under the obligation to register. As per the regulation and the board decisions, it has been determined that no exemptions shall apply to foreign data controllers acting as data controllers1 pursuant to Turkish data protection legislation and that all such foreign data controllers must carry out their registration processes by the deadline of 31 December 2019.
Obligation to maintain Personal Data-Processing Inventory
All data controllers under the obligation to register must maintain a data processing inventory, a document that is similar in format to records of processing maintained as per Article 30 of the General Data Protection Regulation (GDPR). Stated in the table opposite is a comparison of the inventory and records of processing.
1. Unlike Article 3/2 of GDPR, there is no explicit provision regulating territorial scope under the DP Law. However, under certain decisions of the board, Article 3/2 is taken as a reference on interpretation of the DP Law.
| Records of processing | Inventory | |
|---|---|---|
| Obligation | An enterprise or an organisation employing fewer than 250 persons is not obliged to maintain records of processing unless the processing: • is likely to result in a risk; • is not occasional; • includes special categories of data or personal data relating to criminal convictions and offences.The processor and processor’s representative will maintain a record of processing. |
All data controllers under the obligation to register must maintain an inventoryProcessors are not obliged to maintain an inventory |
| Contact details | Name and contact details of the controller, the joint controller, the controller’s representative and the data protection officer | Not explicitly stated. However, contact details of the controller and the controller’s representative should be submitted to the registry. |
| Purpose | Purposes of processing | Purposes of processing |
| Personal data | Categories of personal data | Categories of personal data |
| Data subjects | Categories of data subjects | Categories of data subjects |
| Recipients | Categories of recipients to whom the personal data has been or will be disclosed, including recipients in third countries or international organisations | Categories of third-party recipients |
| Cross-border transfers | Identification of that third country or international organisation and the documentation of suitable safeguards | Categories of personal data transferred abroad |
| Retention | Envisaged time limits for erasure of the different categories of data | Maximum retention periods |
| Security | A general description of the technical and organisational security measures | Administrative and technical measures |
| Legal ground | N/A | Legal grounds of the processing |
For more information, please contact:Yasin Beceni, managing partner – attorney at law
Susen Aklan, managing associate – attorney at law
BTS & Partners